IPSEC site-to-site tunnel from PFsense > Hosted VPN Service

[acao]

Outbound

• all traffic from a VLAN Interface which is on its own subnet
• will be routed through a VPN tunnel from our local network.
• configured as either an OpenVPN client or IPSEC IKEv2 tunnel

Inbound VPN Connections

• all offsite traffic, remote users, will utilize the OpenVPN Server on our PFSense router to access protected services
• they will access this through a VPN tunnel for this interface, at a hostname that is not our local IP.
• their traffic will be routed back out through the offsite VPN, possibly through a seperate tunnel and/or server

The biggest questions are:

1. Whats the optimal form of VPN protocol and authorization for us? Is OpenVPN even a suitable option for a site-to-site tunnel?
2. What are the advantages & pitfalls of self-hosted (with unlimited resources and bandwith for free) vs a third party provider such as AirVPN or Nord.
3. How can the level of pfsense configuration be as minimal as possible if accounts need to change or other minimal, long term maintenance
4. If IPSEC is our best option, how the hell do we configure PFSense to use IPSEC and IKEv2 for a site to site tunnel? This seems totally undocumented